Action Required: Critical Vulnerability for Six Token Contracts on Multichain
A critical vulnerability that affected 6 cross-chain tokens was reported by security firm Dedaub. If you ever have approved any of these 6 tokens on the Router (WETH, PERI, OMT, WBNB, MATIC, AVAX), please login into https://app.multichain.org/#/approvals to remove any approvals of these 6 tokens asap. Otherwise, your assets will always be at risk. Please do not transfer any of these 6 tokens to your wallet before revoking the approvals. The risk will be eliminated instantly upon revoking approvals.
The liquidity for these 6 tokens is fixed now. All assets on both V2 Bridge and V3 Router are safe and all cross-chain transactions can be done safely as usual.
Technical details will be released later. Many thanks to security firm Dedaub.
- Who needs to revoke approvals
Only users who had approved the 6 tokens (WETH, PERI, OMT, WBNB, MATIC, AVAX) on Router are required to revoke approvals. For other people, no action is needed.
- How to revoke approvals
1.If you have approved any of the contracts of the 6 tokens (WETH, PERI, OMT, WBNB, MATIC, AVAX), you need to revoke approval(s) and the options will appear according to your past activity. For example, if you had given contract approvals of WBNB and AVAX, you will see both BSC and AVAX buttons as follows when you login into https://app.multichain.org/#/approvals
2. If the BSC/Avalanche network is not connected, you need to switch networks by clicking on ‘Switch to BSC’ or ‘Switch to Avalanche’ and you will see a revoke button then. Please click on ‘Revoke’.
3. After that, a Metamask window will pop up, please click on the ‘Confirm’ button
4. Wait for a few seconds and the notification of ‘Approve BNB’ will appear on the top right corner, which means you have revoked the WBNB approval.
5. In addition to WBNB on BSC, you still need to revoke the approval of AVAX on Avalanche in this scenario. Please switch to the Avalanche network to revoke. The process is the same as for WBNB.
- How to check the status of removal
To double check, you can simply refresh the page once you remove the approval(s). If the webpage shows ‘No actions needed’ as in the following screenshot, your removal process is completed.
If you have any questions, please reach out to us here: